From c89bcd12f4fc7233830a8dbe7863c312f657da3c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sun, 14 Apr 2013 09:33:57 -0700
Subject: [PATCH] Xdmx: integer overflow in GetGLXVisualConfigs()
numVisuals & numProps are both CARD32 and need to be bounds checked before multiplying by structure sizes to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
---
 hw/dmx/dmx_glxvisuals.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/hw/dmx/dmx_glxvisuals.c b/hw/dmx/dmx_glxvisuals.c
index f903b7491..027557add 100644
--- a/hw/dmx/dmx_glxvisuals.c
+++ b/hw/dmx/dmx_glxvisuals.c
@@ -37,6 +37,7 @@
 #include
 #include
 #include
+#include
 #include "dmx_glxvisuals.h"
@@ -84,7 +85,10 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs)
 SyncHandle();
 return NULL;
 }
- props = (INT32 *) Xmalloc(nprops * __GLX_SIZE_CARD32);
+ if (nprops < (INT_MAX / __GLX_SIZE_CARD32))
+ props = Xmalloc(nprops * __GLX_SIZE_CARD32);
+ else
+ props = NULL;
 if (!props) {
 UnlockDisplay(dpy);
 SyncHandle();
@@ -92,15 +96,16 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs)
 }
 /* Allocate memory for our config structure */
- config = (__GLXvisualConfig *)
- Xmalloc(nvisuals * sizeof(__GLXvisualConfig));
+ if (nvisuals < (INT_MAX / sizeof(__GLXvisualConfig)))
+ config = Xcalloc(nvisuals, sizeof(__GLXvisualConfig));
+ else
+ config = NULL;
 if (!config) {
 free(props);
 UnlockDisplay(dpy);
 SyncHandle();
 return NULL;
 }
- memset(config, 0, nvisuals * sizeof(__GLXvisualConfig));
 configs = config;
 num_good_visuals = 0;
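Review bot: Both new rejection paths, `props = NULL` in the `-84,7` hunk and `config = NULL` in the `-92,15` hunk, fall into the existing `if (!props)` / `if (!config)` cleanup, which unlocks the display and returns without consuming the reply payload the server has already announced. Since these buffers are allocated to receive that payload, it has presumably not been read yet (the `_XReply` call is outside the hunk), so an oversized count would leave unread bytes on the connection and later replies could be misparsed. Draining it before the unlock, e.g. `_XEatData(dpy, /* remaining reply bytes */);`, keeps the stream in sync on the reject path. The enclosing function starts and ends outside both hunks.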
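Review bot: The guard `nvisuals < (INT_MAX / sizeof(__GLXvisualConfig))` in the `-92,15` hunk compares against a `size_t` expression, so if `nvisuals` is a signed `int` (its declaration is outside the hunk) a negative value is rejected only through the implicit conversion to unsigned, whereas the `nprops` check in the previous hunk may be a signed comparison depending on how `__GLX_SIZE_CARD32` is defined. A short comment would make the intent explicit and keep the two checks from drifting apart, for example `/* counts come from the server reply; cap the byte size at INT_MAX before allocating */`. The enclosing function begins and ends outside the hunk.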